Facebook's "Osquery" Security Tool Available for Windows

Facebook announced on Tuesday the availability of an osquery version that can be used by security teams to quickly identify and analyze threats on their Windows networks.

Osquery is an instrumentation framework designed to allow users to easily and efficiently explore their operating system via SQL-based queries. Basically, osquery exposes the operating system as a relational database where processes, network connections, loaded kernel modules, hardware events and browser plugins are represented in SQL tables that can be easily queried.
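As an added illustration of that "operating system as a relational database" model (these queries are not from the article or from Facebook; the table and column names `processes`, `listening_ports`, `users`, `drivers`, `on_disk` and `signed` are taken from the osquery schema as I know it, and the `drivers` query is Windows-only), here is what a defender typically asks an osquery agent:

```sql
-- Added example, not code from the article. Tables/columns are assumed to
-- match the published osquery schema; the queries themselves are illustrative.

-- 1. Every process holding a listening socket, with the account it runs as.
--    Joining two "tables" is how osquery correlates process and network state.
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address, u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0
ORDER BY lp.port;

-- 2. Running processes whose executable is no longer present on disk
--    (on_disk = 0), a classic indicator worth a second look.
SELECT pid, name, path, cmdline
FROM processes
WHERE on_disk = 0;

-- 3. Windows equivalent of "loaded kernel modules": installed drivers that
--    are not signed. (Assumption: the drivers table exposes a 'signed' column.)
SELECT device_name, image, provider, signed
FROM drivers
WHERE signed = 0;
```

Run interactively in `osqueryi` these return rows like any SQLite client would; scheduled through `osqueryd` they become periodic log lines that a SIEM can diff over time.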

The framework was released as open source in October 2014, but until now it had only been available for OS X and Linux. Facebook says its security team has been using osquery to, among other things, collect data on browser extensions running on its corporate network. The information is compared against threat intelligence data so that potentially malicious extensions can be quickly identified and removed.
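The extension hunt described above, written out as an added example in osquery SQL (this is my illustration, not Facebook's query; `chrome_extensions` and `users` are real osquery tables, the `bad_extensions` list holds constructed placeholder identifiers rather than real indicators, and the CTE syntax assumes osquery's bundled SQLite supports `WITH ... VALUES`, which modern builds do):

```sql
-- Added example, not from the article. The identifiers below are
-- CONSTRUCTED placeholders standing in for a threat-intelligence feed.
WITH bad_extensions(identifier, reason) AS (
    VALUES ('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'placeholder: flagged by intel feed'),
           ('bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb', 'placeholder: flagged by intel feed')
)
-- Exact match: installed Chrome extensions whose ID appears in the feed.
-- chrome_extensions is enumerated per user, hence the join on users.
SELECT u.username, ce.name, ce.identifier, ce.version, ce.update_url, ce.path, b.reason
FROM chrome_extensions AS ce
JOIN users AS u ON u.uid = ce.uid
JOIN bad_extensions AS b ON b.identifier = ce.identifier;

-- Broader hunt: extensions that do not update from the Chrome Web Store
-- (clients2.google.com is the store's update host), i.e. sideloaded ones.
SELECT u.username, ce.name, ce.identifier, ce.update_url
FROM chrome_extensions AS ce
JOIN users AS u ON u.uid = ce.uid
WHERE ce.update_url NOT LIKE '%clients2.google.com%';
```

In a real deployment the intelligence list would come from a feed rather than a literal `VALUES` block, but the shape of the hunt is the same: collect the inventory with a scheduled query, then join it against indicators.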

“This proactive technique, known as ‘threat hunting,’ is an important enhancement to traditional detection-based security, but not yet offered by many commercial agents,” Nick Anderson, security engineer at Facebook, said in a blog post.

Facebook ported osquery to Windows with the help of engineers from enterprise security company Trail of Bits, which published a blog post detailing the challenges and benefits.

“Since osquery is cross platform, network administrators will be able to monitor complex operating system states across their entire infrastructure. For those already running an osquery deployment, they’ll be able to seamlessly integrate their Windows machines, allowing for far greater efficiency in their work,” Trail of Bits explained.

Users who want to leverage osquery for their Windows networks will have to build the application themselves from the available source code. For the time being, the tool can only be built on Windows 10. The osquery developer kit includes all the information and scripts needed for the process.

Osquery is one of the open source projects covered by Facebook’s bug bounty program, which means researchers can earn rewards if they find vulnerabilities. It’s also worth noting that osquery is the most popular repository on GitHub in the “security” category – it is even more popular than Rapid7’s Metasploit framework.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.